AssignUserstoADGroup

mubarakshabna_asmi

The following is the AssignUserstoADGroup pass:

dn $FUNCTION.sap_getGroupDN(%MSKEY%)$$
changetype modify
+ uniquemember %DN%$rep.$NAME%%

I am assuming dn is the User dn and %DN%$rep.$NAME%% is the group DN.

If the ProvisionADUser task is called from the workflow, how is it supposed to work? What input attribute should be given?

Thanks

S.

Answers (4)

mubarakshabna_asmi

Thanks for all your replies. My MX_PROVISIONTASK was not properly linked. Once that was done it works.

Former Member

Hey

This:

ToDSADirect.modEntry !ERROR:Entry does not exist

means that it's not returning the DN of the group from the Privilege in the Identity Store. It's finding an invalid entry or value and thus the SQL in sap_getGroupDN is returning the error.

A couple of things spring to mind:

- It uses the audit table to determine the MSKey of the user being operated on. You can check the audit table to ensure that the user you are expecting is logged against the job. If not, it's not going to work.

- It uses the repository name set for the job to determine the attribute to return. If you don't have a repository set through the task list somewhere (or directly on the job), it won't work. Given the error you're getting, this is probably the problem. It's trying to retrieve "DN<repname>" and coming back with attribute does not exist...

Confirm that the repository is set and that the privilege for the AD Group has an appropriate DN<repname> attribute...

Peter Wass

mubarakshabna_asmi

Peter,

Thanks much for your time and reply.

The problem was I had changed the Task name (made a copy of PF task) and did not change the MX_PROVISIONTASK to reflect the name change. After I set this correctly it works.

I still have a couple of issues, and maybe they are because I am calling the ProvisionAD task from the workflow. I am not sure.

Issues:

1. I am not able to assign multiple groups - only the first one gets assigned

2. I still see the error I mentioned in my initial post in the log files and the job itself seems to run multiple times (I suspect this is because the MX_PROVISIONTASK runs it once and then me calling the ProvisionAD task runs it again).

Any input please. How should all this work? The SAP PF has all these system-specific tasks; are they not supposed to be called individually? And if not, how should the process work?

Any inputs and/or direction please.

Thanks

Shabna

Former Member

Shabna

The SAP PF treats AD groups as privileges. As such, they should be assigned by the privilege assignment, not through user provisioning - you can do it but the SAP PF isn't set up that way. This is why it's designed to do one at a time. You have to assign users to groups in AD, not groups to users.

If I remember the script correctly (I don't have it in front of me)

It:

- gets the audit entry of the current job

- selects the aValue from MXIV_SENTRIES where attribute = audit entry attribute, mskey = userid and checksum = audit entry checksum

- It gets the current repository from the job

- The aValue is then the privilege mskey which is used to retrieve the group DN%rep.Name% from the group-privilege using getValue

So

- the audit entry which started the job must reflect the assignment of the privilege

- the repository must be correct

If either of those are incorrect then it won't retrieve the group properly.
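As an added illustration (not SAP IdM code, and not the sap_getGroupDN script itself), the Python below models the lookup chain Peter describes above against constructed in-memory tables. The table and column names (audit, mxiv_sentries, mskey, attrname, avalue, checksum), the repository name "ADS" and the example DNs are assumptions that only mimic the names quoted in this thread, not the real IdM schema. It shows how each of the two checks (audit entry present and matching, repository set on the job) falls through to the "!ERROR:Entry does not exist" literal, and how that literal then becomes the dn of the modify that the pass sends. The modify is emitted as standard LDIF rather than in the IdM pass template syntax, with the group as dn and the user's DN added to the group's member attribute, and it refuses an invalid dn up front instead of letting the directory reject it.

```python
import re
import sqlite3

# The literal the IdM lookup helpers return when nothing is found; it is the
# string that shows up as the dn in the log quoted in this thread.
ERROR_MARKER = "!ERROR:Entry does not exist"


def build_sample_db():
    """Constructed sample data (assumption: names mimic the thread, not the IdM
    schema). User mskey 1001 has just been assigned privilege mskey 2001, which
    stands for the AD group; both carry a DN for repository "ADS"."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE audit(auditid INTEGER, mskey INTEGER, attrname TEXT, checksum TEXT);
        CREATE TABLE mxiv_sentries(mskey INTEGER, attrname TEXT, avalue TEXT, checksum TEXT);
    """)
    db.executemany("INSERT INTO audit VALUES (?, ?, ?, ?)", [
        (998283, 1001, "MXREF_MX_PRIVILEGE", "chk-1"),    # assignment that started the job
        (998284, 1001, "MXREF_MX_PRIVILEGE", "chk-old"),  # stale entry, checksum no longer matches
    ])
    db.executemany("INSERT INTO mxiv_sentries VALUES (?, ?, ?, ?)", [
        (1001, "MXREF_MX_PRIVILEGE", "2001", "chk-1"),
        (1001, "DNADS", "CN=Shabna,OU=Users,DC=example,DC=com", None),
        (2001, "DNADS", "CN=IdM-Admins,OU=Groups,DC=example,DC=com", None),
    ])
    return db


def get_value(db, mskey, attrname):
    """Stand-in for the getValue step: one attribute value of one entry."""
    row = db.execute(
        "SELECT avalue FROM mxiv_sentries WHERE mskey = ? AND attrname = ?",
        (mskey, attrname),
    ).fetchone()
    return row[0] if row else ERROR_MARKER


def get_group_dn(db, audit_id, repository, log):
    """Model of the chain: audit entry -> privilege mskey -> DN<repository> of
    the privilege. Every failing step falls through to the same error literal,
    which is why that literal ends up as the LDAP dn."""
    audit = db.execute(
        "SELECT mskey, attrname, checksum FROM audit WHERE auditid = ?",
        (audit_id,),
    ).fetchone()
    if audit is None:
        log.append("No audit entry for this job")
        return ERROR_MARKER
    user_mskey, attrname, checksum = audit
    row = db.execute(
        "SELECT avalue FROM mxiv_sentries "
        "WHERE mskey = ? AND attrname = ? AND checksum = ?",
        (user_mskey, attrname, checksum),
    ).fetchone()
    priv_mskey = int(row[0]) if row else ""
    if not priv_mskey:
        log.append("No valid userid found to get group dn")
    log.append(f"PrivMSKey: {priv_mskey}")
    # The attribute name is built from the job's repository. With no repository
    # set this asks for plain "DN", which no privilege carries.
    group_dn = get_value(db, priv_mskey, f"DN{repository}")
    log.append(f"PrivDN: {group_dn}")
    return group_dn


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def is_valid_dn(dn):
    """Cheap syntactic check: every comma-separated RDN must look like attr=value
    (escaped commas are not handled). The error literal has no '=' and fails,
    the same condition AD reports as LDAP error 34, invalid DN syntax."""
    return all(_RDN.match(part.strip()) for part in dn.split(","))


def build_group_modify(group_dn, user_dn, member_attr="member"):
    """Standard-LDIF equivalent of the pass: dn is the GROUP, the user's DN is
    added to its member attribute. Rejects an invalid dn before any directory
    call so the failure is reported as a lookup problem, not a NamingException."""
    for name, dn in (("group", group_dn), ("user", user_dn)):
        if not is_valid_dn(dn):
            raise ValueError(f"{name} DN is not a valid DN: {dn!r}")
    return (f"dn: {group_dn}\n"
            f"changetype: modify\n"
            f"add: {member_attr}\n"
            f"{member_attr}: {user_dn}\n")


if __name__ == "__main__":
    db = build_sample_db()
    for label, audit_id, repo in (
        ("job linked correctly", 998283, "ADS"),
        ("repository not set on the job", 998283, ""),
        ("stale audit entry", 998284, "ADS"),
    ):
        log = []
        print(f"{label}: {get_group_dn(db, audit_id, repo, log)}  {log}")
    print(build_group_modify(get_value(db, 2001, "DNADS"), get_value(db, 1001, "DNADS")))
```

Running it reproduces the three outcomes from the thread: with the audit entry and repository both correct the group DN comes back; with the repository unset the privilege is found but "DN" is not; with an audit entry whose checksum does not match the current assignment the "No valid userid found" line appears and the dn degrades to the error literal, which is exactly the string the directory then rejects.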

Former Member

I'm quite sure dn is the Group-DN while %DN%$rep.$name%% is the user-DN.

If you look at your AD with an LDAP-browser you can see that your groups have member-attributes which store the user-DNs

The ProvisionADSUser-Task is supposed to be a sub-task of ProvisionADS. Normally you don't "call" it separately.

Sorry, but I don't really understand your problem or what you intend to do... please clarify.

BR

Michael

mubarakshabna_asmi

Michael Thanks for you time

I am using the ProvisionADUser task (not ProvisionAD, because the only difference is the Exchange user setup and I don't want it right now).

The AssignUserToADSGroup sub task fails with the following error:

____________________________________________________________________________

05.01.2010 11:42:20 :I:initPass ToDSADirect: AssignUserToADSGroup

05.01.2010 11:42:20 :X:Common attribute ReconnectSize, value '' could not be resolved to integer, assuming 500

05.01.2010 11:42:21 :X:SELECT * FROM MXPROV_ENTRIES WHERE MXP_ACTIONID=? AND MXP_REPOSITORY=?

05.01.2010 11:42:21 :I:AuditId: 998283

05.01.2010 11:42:21 :E:No valid userid found to get group dn

05.01.2010 11:42:21 :I:PrivMSKey:

05.01.2010 11:42:21 :W:PrivDN: !ERROR:Entry does not exist

05.01.2010 11:42:21 :E:Failed storing !ERROR:Entry does not exist

05.01.2010 11:42:21 :E:Exception from Mod operation:ToDSADirect.modEntry !ERROR:Entry does not exist failed with NamingException. (LDAP error: The distinguished name has an invalid syntax)

Explanation: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of: '!ERROR:Entry does not exist' ]

Remaining name: !ERROR:Entry does not exist

Resolved name: javax.naming.InvalidNameException: !ERROR:Entry does not exist: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001D1, problem 2006 (BAD_NAME), data 8350, best match of:

'!ERROR:Entry does not exist' ]; remaining name '!ERROR:Entry does not exist'

at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2923)

___________________________________________________________________________________

The ToLDAP pass looks like below:

dn $FUNCTION.sap_getGroupDN(%MSKEY%)$$
changetype modify
+member %DN%$rep.$NAME%%

I am a little confused as to how this works. When I give the attributes in the user interface for the task, like firstname, lastname etc., I am assuming I give MXREF_MX_PRIVILEGE for the group to which it should be assigned. Is this correct? If not, how do I input which group should be assigned for the new user?

Thanks for all your help.

Thanks

Shabna

Former Member

I'm sorry but I can't help you here.

If you don't need the ProvisionExchange-Task why don't you simply leave that away/disable it in the original SAP-PF instead of rebuilding it with your custom tasks?

I too think it's quite hard to understand what the SAP PF does in which stage, because you have to understand all the scripts and how they work together.

mubarakshabna_asmi

The task I was using is not a custom one. It is from the provisioning framework. I had also tried using the ProvisionAD task with Exchange user creation disabled. Still the same problem. I just have to figure out how the sap_getGroupDN script works.

Thanks for your time anyways.

Shabna


mubarakshabna_asmi

Can someone Help me with this Please.